IN THE CLAIMS: 



Please AMEND the claims as follows: 

1. (Once Amended) A method for transmitting and receiving packets of data
via [a] an internetwork for a first host computer on a first computer network to a second host 
computer on a second computer network, the first and second computer networks including, 
respectively, first and second bridge computers, each of said first and second host computers 
and first and second bridge computers including a processor and a memory for storing 
instructions for execution by the processor, each of said first and second bridge computers 
further including memory for storing at least one predetermined encryption/decryption 
mechanism and information identifying a predetermined plurality of host computers as hosts 
requiring security for packets transmitted between them, the method being carried [carded] 
out [be] by means of the instructions stored on said respective memories and including the 
steps of:

(1) generating, by the first host computer, a first data packet for transmission to 
the second host computer, a portion of the first data packet including information 
representing an internetwork address of the first host computer and internetwork 
address of the second host computer;

(2) in the first bridge computer, intercepting the first data packet and determining
whether the first and second host computers are among the predetermined plurality of
host computers for which security is required, and if not, proceeding to step 5, and if 
so, proceeding to step 3; 

(3) encrypting the first data packet in the first bridge computer; 

(4) in the first bridge computer, generating and appending to the encrypted first 
data packet an encapsulation header, including: 

(a) key management information [identifying] providing a mechanism for 
identifying the predetermined encryption method, and 

(b) a new address header representing the source and destination for the 
first data packet, hereby generating a modified first data packet; 

(5) transmitting the first data packet or the modified first data packet from the first 
bridge computer via the internetwork to the second computer network; 

(6) intercepting the first data packet or the modified first data packet at the second 
bridge computer; 

(7) in the second bridge computer, if the encapsulation header has been appended 
to the first data packet, reading the encapsulation header, and determining 
therefrom whether the first data packet was encrypted, [and if not, proceeding
to step 10, and if so, proceeding to step 8] and if it is determined that the first
data packet has been encrypted, proceeding to step 8 and otherwise proceeding
to step 10;

(8) in the second bridge computer, determining which encryption mechanism was 
used to encrypt the first data packet; 

(9) decrypting the first data packet by the second bridge computer; 

(10) transmitting the first data packet from the second bridge computer to the
second host computer[,] ; and 

(11) receiving the unencrypted first data packet at the second host computer.

2. (Once Amended) The method of claim 1, wherein the new address header
for the modified first data packet includes the address of the second bridge computer. 

3. (Once Amended) The method of claim 2, wherein the new address header 
for the modified first data packet includes an identifier of the second bridge computer. 

4. (Once Amended) The method of claim 1, wherein the new address header
of the modified first data packet includes the address of the second host computer. 



5. (Once Amended) The method of claim 4, wherein the new address header 
for the modified first data packet includes an identifier of the second bridge computer.



6. (Once Amended) A system for automatically encrypting and decrypting 
data packets transmitted from a first host computer on a first computer network to a second
host computer on a second computer network, including:

a first bridge computer coupled to the first computer network for intercepting
data packets transmitted from said first computer network, the first bridge computer
including a first processor and a first memory storing instructions for executing
encryption of data packets according to a predetermined encryption/decryption
mechanism;

a second bridge computer coupled to the second computer network for
intercepting data packets transmitted to said second computer network, the second
bridge computer including a second processor and a second memory storing 
instructions for executing decryption of the data packets; 

said first host computer including a third processor and a third memory 
including instructions for transmitting a first [said] data packet from said first host to
said second host;

a first table stored in said first memory including a correlation of at least one 
of the first host computer and the first network with one of the second host computer 
and the second network, respectively;

instructions stored in said first memory for intercepting said first data packet 
before departure from said first network, determining whether said correlation is
present in said first table, and if so, then executing encryption of said first data packet
according to said predetermined encryption/decryption mechanism, generating a new
address header including a mechanism for identifying said predetermined 
encryption/decryption mechanism and appending said new address header to said 
encrypted first data packet, thereby generating a modified first data packet, and 
transmitting said modified first data packet on to the second host computer; 

a second table stored in said second memory including a correlation of at least 
one of the first host computer and the first network with one of the second host 
computer and the second network, respectively; and 

instructions stored in said second memory for intercepting said modified first 
data packet upon arrival at said second network, determining whether said correlation 
is present in said second table, and if so, then executing decryption of said first data 
packet according to said predetermined encryption/decryption mechanism, and 
transmitting the first data packet to the second host computer.

7. (Once Amended) [The method of claim 6,] A system for automatically 
encrypting and decrypting data packets transmitted from a first host computer on a first 
computer network to a second host computer on a second computer network, including: 

SUN1P342R - 4 - Application No. 09/136,954 



a first bridge computer coupled to the first computer network for intercepting
data packets transmitted from said first computer network, the first bridge computer
including a first processor and a first memory storing instructions for executing
encryption of data packets according to a predetermined encryption/decryption
mechanism;

a second bridge computer coupled to the second computer network for
intercepting data packets transmitted to said second computer network, the second
bridge computer including a second processor and a second memory storing
instructions for executing decryption of the data packets;

said first host computer including a third processor and a third memory
including instructions for transmitting a first data packet from said first host to said
second host;

a first table stored in said first memory including a correlation of at least one 

of the first host computer and the first network with one of the second host computer 
and the second network, respectively; 

instructions stored in said first memory for intercepting said first data packet 

before departure from said first network, determining whether said correlation is 
present in said first table, and if so, then executing encryption of said first data packet
according to said predetermined encryption/decryption mechanism, generating a new
address header and appending said new address header to said encrypted first data
packet, thereby generating a modified first data packet, and transmitting said modified
first data packet on to the second host computer, wherein said new address header
includes [the] internetwork broadcast addresses of the first and second computer 
networks[.]; 

a second table stored in said second memory including a correlation of at least 

one of the first host computer and the first network with one of the second host 
computer and the second network, respectively; and 

instructions stored in said second memory for intercepting said modified first data 

packet upon arrival at said second network, determining whether said correlation is present in 
said second table, and if so, then executing decryption of said first data packet according to 
said predetermined encryption/decryption mechanism, and transmitting the first data packet 
to the second host computer. 

8. The method of claim 7, wherein said new address header includes an identifier
of the second bridge computer. 

9. The method of claim 6, wherein said new address header includes the address 
of the second host computer.

10. The method of claim 9, wherein said new address header includes an identifier 
of the second bridge computer. 

11. (Once Amended) A method for transmitting and receiving packets of data
via an internetwork from a first host computer on a first computer network to a second host
computer on a second computer network, [the first and second computer networks,] each of
said first and second host computer networks, each of said first and second host computers
including a processor and a memory for storing instructions for execution by the processor,
each said memory storing at least [on] a predetermined encryption/decryption mechanism and 
a source/destination table identifying a predetermined plurality of sources and destinations 
requiring security for packets transmitted between them, the method being carried [carded] 
out by means of the instructions stored in said respective memories and including the steps 
of: 

(1) generating, by the first host computer, a first data packet for transmission to
the second host computer, a portion of the first data packet including information
representing an internetwork address of a source of the first data packet and an
internetwork address of a destination of the first data packet;

(2) in the first host computer, determining whether the source and destination of
the first data packet are among the predetermined plurality of sources and destinations
identified in said source/destination table for which security is required, and if not,
proceeding to step 5, and if so, proceeding to step 3;

(3) encrypting the first data packet in the first host computer; 

(4) in the first host computer, generating and appending to the encrypted first data
packet an encapsulation header, including:

(a) key management information providing a mechanism for identifying
the predetermined encryption method, and

(b) a new address header identifying the source and destination for the first
data packet, hereby generating a modified first data packet;

(5) transmitting the first data packet or the modified first data packet from the first 
host computer via the internetwork to the second computer network; 

(6) in the second host computer, if the encapsulation header has been appended to 
the first data packet, reading the encapsulation header, and determining therefrom 
whether the first data packet was encrypted, and if the first data packet was not 
encrypted [not], ending the method, and if [so] the first data packet was encrypted,
proceeding to step 7;

(7) in the second host computer, determining which encryption mechanism was 
used to encrypt the first data packet; and 

(8) decrypting the first data packet by the second host computer. 

12. (Once Amended) The method of claim 11, wherein the new address
header for the modified first data packet includes internetwork broadcast addresses of the first 
and second computer networks. 

13. The method of claim 11, wherein the source/destination table includes data
identifying internetwork addresses of the first and second host computers.

14. (Once Amended) A system for automatically encrypting and decrypting
data packets transmitted from a first host computer on a first computer network [and having a
first host computer on a first computer network and], the first host computer having a first
processor and a first memory, via an internetwork to a second host computer on a second
computer network [and having a second host computer on a second computer network and],
the second host computer having a second processor and a second memory, the system
including:

security data stored in said first and second memories indicating that data 
packets meeting at least one predetermined criterion are to be encrypted; 

a predetermined encryption/decryption mechanism stored in said first and
second memories; 

a decryption key stored in said second memory; 

instructions stored in said first memory for determining whether to encrypt 
one or more data packets, by determining whether said at least one predetermined
criterion is met by said one or more data packets [data packet]; 

instructions stored in said first memory for executing encryption according to 
said predetermined encryption/decryption mechanism of at least a first [said data 
packet] one of said one or more data packets, when said at least one predetermined
criterion is met, for generating a new address header for said first data packet and for 
appending an encapsulation header to said first data packet and transmitting said first 
data packet to said second host, said new address header identifying broadcast
addresses of the first and second computer networks, said encapsulation header
including at least said new address header; and

instructions stored in said second memory for receiving said first data packet,
determining whether it has been encrypted by reference to said security data in said 
second memory, and if so then determining which encryption/decryption mechanism 
was used for encryption, and decrypting said first data packet by use of said 
decryption key.

15. (Once Amended) The system of claim 14, wherein: 

said security data comprises correlation data stored in each of said first and
second memories [identifying at least one of said first and second memories]
identifying at least one of said first host computer and said first network correlated
with at least one of said second host computer and said second network;

the system further including instructions stored in said first memory for
determining whether to encrypt data packets by inspecting for a match between source
and destination addresses of said data packets with said correlation data.

16. (Once Amended) A system for automatically encrypting data packets for
transmission from a first host computer on a first computer network to a second host
computer on a second computer network, said first host computer including a first processor 
and a first memory including instructions for transmitting said data packets from said first 
host to said second host, the system including: 

a bridge computer coupled to the first computer network for intercepting at 
least a first [said] data packet transmitted from said first computer network, said 
bridge computer including a second processor and a second memory storing 
instructions for executing encryption of said first data packet according to a
predetermined encryption/decryption mechanism; 

information stored in said second memory correlating at least one of the first 
host computer and the first network with one of the second host computer and the
second network, respectively; and 

instructions stored in said second memory for intercepting said first data
packet before departure from said first network, determining whether said correlation 
is present, and if so, then executing encryption of said first data packet according to 
said predetermined encryption/decryption mechanism, generating a new address
header including a mechanism for identifying said predetermined
encryption/decryption mechanism and appending said new address header to said first
data packet, thereby generating a modified first data packet on to the second host
computer. 

17. (Once Amended) A method for transmitting packets of data via an
internetwork from a first host computer on a first computer network to a second host
computer on a second computer network, the first computer networks including a first bridge
computer, each of said first and second host computers and said bridge computer further
including memory storing at least one predetermined encryption/decryption mechanism and
information identifying a predetermined plurality of host computers as hosts requiring
security for packets transmitted between them, the method being carried out according to the
instructions stored in said respective memories and including the steps of:

(1) generating, by the first host computer, a first data packet for transmission to
the second host computer, a portion of the first data packet including information 
representing an internetwork address of the first host computer and an internetwork 
address of the second host computer. 

(2) in the first bridge computer, intercepting the first data packet and determining
whether the first and second host computers are among the predetermined plurality of 
host computers for which security is required, and if not, proceeding to step 5, and if 
so, proceeding to step 3; 

(3) encrypting the first data packet in the first bridge computer;

(4) in the first bridge computer, generating and appending to the first data packet 
an encapsulation header, including: 

(a) key management information providing a mechanism for identifying
the predetermined encryption method, and 

(b) a new address header representing the source and destination for the
data packet, thereby generating a modified first data packet; and 

(5) transmitting the first data packet or the modified first data packet from the first 
bridge computer via the internetwork to the second computer network. 

18. (Once Amended) A system for automatically decrypting data packets
transmitted from a first computer to a second computer, the system comprising: 

a bridge coupled to the second computer for intercepting a data packet from
the first computer, the data packet having an address header and a body, the address
header including broadcast addresses of the first and second computers, the bridge
including a processor and a memory that stores instructions for decrypting data
packets;

information stored in the memory of the bridge correlating the first and second
computers; and

instructions stored in the memory for intercepting the data packet, determining
whether the information stored in the memory of the bridge correlates the first and
second computers, and if so, decrypting the data packet to generate a new data packet
including a new address header, and transmitting the new data packet onto the second
computer.

19. (Once Amended) The system of claim 18, wherein the data packet
includes the new data packet in encrypted form.

20. (Twice Amended) A system for automatically decrypting data packets
transmitted from a first computer to a second computer, the system comprising: 

a bridge coupled to the second computer for intercepting a data packet from
the first computer, the data packet including a header storing key management
information providing a mechanism for identifying an encryption method used to
encrypt the data packet, the bridge including a processor and a memory that stores
instructions for decrypting data packets;

information stored in the memory of the bridge correlating the first and second
computers; and

instructions stored in the memory for intercepting the data packet, determining
whether the information stored in the memory of the bridge correlates the first and
second computers, and if so, decrypting the data packet to generate a new data packet
including a new address header, and transmitting the new data packet onto the second
computer.

21. The method of claim 18, wherein the new address header includes information
indicating the first computer is a source of the new data packet and the second computer is a
destination of the new data packet.

22. (Once Amended) A method for receiving data packets from a first 



computer to a second computer through a bridge including a processor and a memory that 
stores instructions for decrypting data packets and information correlating the first and 
second computers, the method being carried out according to instructions in the memory of 
the bridge and comprising: 

intercepting a data packet from the first computer to the second computer, the
data packet including an address header and a body, the address header including
broadcast addresses of the first and second computers and the body including address
information representing an internetwork address of the first computer and an
internetwork address of the second computer, wherein the address information is
encrypted;

determining whether the information stored in the memory of the bridge 

correlates the first and second computers, and if so, decrypting the data packet to 
generate a new data packet including a new address header; and 
transmitting the new data packet on to the second computer. 



23. (Once Amended) The method of claim 22, wherein the body includes the
new data packet in encrypted form.

24. (Once Amended) A method for receiving data packets from a first 

computer to a second computer through a bridge including a processor and a memory that 
stores instructions for decrypting data packets and information correlating the first and 
second computers, the method being carried out according to instructions in the memory of
the bridge and comprising:

intercepting a data packet from the first computer to the second computer, the
data packet including information representing an internetwork address of the first
computer and an internetwork address of the second computer;

determining whether the information stored in the memory of the bridge
correlates the first and second computers, and if so, decrypting the data packet to
generate a new data packet including a new address header; and

transmitting the new data packet on to the second computer;

wherein the data packet includes a header storing key management information 

providing a mechanism for identifying an encryption method used to encrypt the new data 

packet. 

25. The method of claim 22, wherein the new address header includes information 
indicating the first computer is a source of the new data packet and the second computer is a
destination of the new data packet.

26. (Once Amended) A method of encrypting data packets, comprising: 

receiving a data packet from a source for a destination, the data packet including a 

header section and a data section, the header section storing a source identifier and a 
destination identifier;

determining whether the data packet should be encrypted upon reference to at least 

one of the source and destination identifiers; 

if the data packet should be encrypted, encrypting the data packet to produce an 

encrypted data packet; and

generating a new address header and appending the new address header to the
encrypted data packet, thereby generating a modified data packet;

wherein the new address header includes a mechanism for identifying an encryption 
method used to generate the encrypted data packet. 

27. (Once Amended) The method of claim 26, further comprising 



transmitting the modified data packet to the destination. 

28. The method of claim 26, wherein the determining whether the data packet

should be encrypted comprises accessing stored information that indicates by presence or 
absence of the source identifier that data packets from the source should be encrypted. 

29. The method of claim 26, wherein the determining whether the data packet 
should be encrypted comprises accessing stored information that indicates by presence or 
absence of a correlation between the source and destination identifiers that data packets from 
the source for the destination should be encrypted. 

30. (Once Amended) The method of claim 26, wherein the encrypted data 

packet includes an encrypted data packet header section and an encrypted data packet data 
section, the encrypted data packet header section including the header section of the data 
packet after encryption and the encrypted data packet data section including the data section 
of the data packet after encryption, the modified data packet including a header portion 
storing the new address header and a data portion storing the encrypted data packet. 

31. The method of claim 30, wherein the encrypted data packet header section
stores the source and destination identifiers.

32. (Once Amended) A method of encrypting data packets, comprising: 

receiving a data packet from a source for a destination, the data packet including a 

header section and a data section, the header section storing a source identifier and a 
destination identifier; 

determining whether the data packet should be encrypted upon reference to at least 

one of the source and destination identifiers; 

if the data packet should be encrypted, encrypting the data packet to produce an 

encrypted data packet; and 

generating a new address header and appending the new address header to the 

encrypted data packet, thereby generating a modified data packet; 

wherein the encrypted data packet includes an encrypted data packet header section 
and an encrypted data packet data section, the encrypted data packet header section including 
the header section of the data packet after encryption and the encrypted data packet data 
section including the data section of the data packet after encryption, the modified data 
packet including a header portion storing the new address header and a data portion storing
the encrypted data packet;

wherein the source is a host computer in a network and the header portion of the
modified data packet stores an identifier of the network.

33. (Once Amended) A method of encrypting data packets, comprising: 

receiving a data packet from a source for a destination, the data packet including a 

header section and a data section, the header section storing a source identifier and a 
destination identifier;

determining whether the data packet should be encrypted upon reference to at least
one of the source and destination identifiers;

if the data packet should be encrypted, encrypting the data packet to produce an
encrypted data packet; and

generating a new address header and appending the new address header to the 

encrypted data packet, thereby generating a modified data packet; 

wherein the encrypted data packet includes an encrypted data packet header section
and an encrypted data packet data section, the encrypted data packet header section including
the header section of the data packet after encryption and the encrypted data packet data
section including the data section of the data packet after encryption, the modified data
packet including a header portion storing the new address header and a data portion storing
the encrypted data packet;

wherein the destination is a host computer in a network and the header portion of the 
modified data packet stores an identifier of the network. 

34. The method of claim 26, wherein the source is a host computer or a network. 

35. The method of claim 26, wherein the destination is a host computer or a
network.



36. (Once Amended) A computer program product adapted for encrypting
data packets, comprising:

computer code that when executed causes the reception of a data packet from a source 
for a destination, the data packet including a header section and a data section, and the header 
section storing a source identifier and a destination identifier;

computer code that when executed causes the determination of whether the data 

packet should be encrypted upon reference to at least one of the source and destination 
identifiers;

computer code that when executed, if the data packet should be encrypted, causes the 

encryption of the data packet to produce an encrypted data packet; 

computer code that when executed causes the generation of a new address header and 
appends the new address header to the encrypted data packet, the new address header 
including a mechanism for identifying an encryption method used to generate the encrypted 
data packet, thereby generating a modified data packet; and
a computer readable medium that stores the computer codes. 

37. The computer program product of claim 36, wherein the computer readable 
medium is a memory, random-access-memory, read-only-memory, disk drive, or CD-ROM. 

38. (Once Amended) A computer system for encrypting data packets,
comprising:

a processor;

a computer readable medium coupled to the processor and storing a computer
program comprising:

computer code that when executed by the processor causes the processor to
receive a data packet from a source for a destination, the data packet including a
header section and a data section, and the header section storing a source identifier
and a destination identifier;

computer code that when executed by the processor causes the processor to 

determine whether the data packet should be encrypted upon reference to at least one 
of the source and destination identifiers; 

computer code that when executed by the processor causes the processor to 

encrypt the data packet to produce an encrypted data packet when it is determined that
the data packet should be encrypted; and

computer code that when executed by the processor causes the processor to
generate a new address header and append the new address header to the encrypted 
data packet, thereby generating a modified data packet; 

wherein the new address header includes a mechanism for identifying an
encryption method used to generate the encrypted data packet. 

39. The computer program product of claim 38, wherein the computer readable
medium is a memory, random-access-memory, read-only-memory, disk drive, or CD-ROM.

40. (Once Amended) A method of decrypting data packets, comprising: 

receiving a data packet from a source for a destination, the data packet including a 

header section and a data section, the header section storing a source identifier identifying a
broadcast address of the source and a destination identifier identifying a broadcast address of
the destination;

determining whether the data packet is encrypted upon reference to at least one of the
source and destination identifiers; and

if the data packet is encrypted, decrypting the data packet to produce a decrypted data 

packet. 

41. The method of claim 40, further comprising transmitting the decrypted data
packet to the destination.

42. The method of claim 40, wherein the determining whether the data packet is 

encrypted comprises accessing stored information that indicates by presence or absence of the 
source identifier that data packets from the source are encrypted. 

43. The method of claim 40, wherein the determining whether the data packet is 

encrypted comprises accessing stored information that indicates by presence or absence of a
correlation between the source and destination identifiers that data packets from the source
for the destination are encrypted.

44. (Once Amended) The method of claim 40, wherein the data section of the

data packet includes an encrypted header section and an encrypted data section, the encrypted 
header section including a header of the decrypted data packet after encryption and the 
encrypted data section including a body of the decrypted data packet after encryption.

45. The method of claim 44, wherein the encrypted header section stores the

source and destination identifiers. 

46. The method of claim 44, wherein the source is a network and the encrypted 

header section stores an identifier of a host computer in the network. 

47. The method of claim 44, wherein the destination is a network and the

encrypted header section stores an identifier of a host computer in the network. 

48. The method of claim 40, wherein the source is a host computer or a network. 

49. The method of claim 40, wherein the destination is a host computer or a 

network. 


50. (Once Amended) A computer program product adapted for decrypting 
data packets, comprising: 

computer code that when executed causes the reception of a data packet from a source 

for a destination, the data packet including a header section and a data section, and the header 
section storing a source identifier identifying a broadcast address of the source and a 
destination identifier identifying a broadcast address of the destination; 

computer code that when executed causes the determination of whether the data 

packet is encrypted upon reference to at least one of the source and destination identifiers; 

computer code that when executed and if the data packet is encrypted, causes the 

decryption of the data packet to produce a decrypted data packet; and 
a computer readable medium that stores the computer codes. 

51. The computer program product of claim 50, wherein the computer readable
medium is a memory, random-access-memory, read-only-memory, disk drive, or CD-ROM.

52. (Once Amended) A computer system for decrypting data packets, 
comprising: 
a processor; 
a computer readable medium coupled to the processor and storing a computer

program comprising: 

computer code that when executed on the processor causes the processor to 

receive a data packet from a source for a destination, the data packet including a 
header section and a data section, the header section storing a source identifier 
identifying a broadcast address of the source and a destination identifier identifying a 
broadcast address of the destination; 

computer code that when executed on the processor causes the processor to 

determine whether the data packet is encrypted upon reference to at least one of the 
source and destination identifiers; and 

computer code that when executed on the processor causes the processor to if
the data packet is encrypted, decrypt the data packet to produce a decrypted data
packet. 


53. The computer program product of claim 52, wherein the computer readable
medium is a memory, random-access-memory, read-only-memory, disk drive, or CD-ROM. 

54. A system for automatically encrypting and decrypting data packets transmitted from a
first host computer on a first computer network, the first host computer having a first 
processor and a first memory, via an internetwork to a second host computer on a second 
computer network, the second host computer having a second processor and a second 
memory, the system including:

security data stored in said first and second memories indicating that data
packets meeting at least one predetermined criterion are to be encrypted;

instructions stored in said first memory for determining whether to encrypt 

one or more data packets, by determining whether said at least one predetermined

criterion is met by said one or more data packets; 

instructions stored in said first memory for executing encryption of at least a 

first one of said one or more data packets according to a predetermined 
encryption/decryption mechanism, when said at least one predetermined criterion is 
met, for generating a new address header for said first data packet and for appending 
an encapsulation header to said first data packet and transmitting said first data packet
to said second host, said encapsulation header including said new address header and 
a mechanism for identifying said predetermined encryption/decryption mechanism; 

instructions stored in said second memory for receiving said first data packet, 

determining whether it has been encrypted by reference to said security data in said 
second memory, and if so then determining which encryption/decryption mechanism
was used for encryption, and decrypting said first data packet by use of said
encryption/decryption mechanism.

55. The system as recited in claim 54, wherein said predetermined encryption/decryption 
mechanism is provided in encrypted form within said encapsulation header.

56. The system of claim 15, wherein said correlation data includes: 

encryption rules identifying source and destination networks to and from which 
packets are to be encrypted; and

host information indicating exceptions to the encryption rules. 

57. A system for automatically encrypting data packets for transmission from a first host
computer on a first computer network to a second host computer on a second computer 
network, said first host computer including a first processor and a first memory including 
instructions for transmitting said data packets from said first host to said second host, the 
system including: 

a bridge computer coupled to the first computer network for intercepting at 

least a first data packet transmitted from said first computer network, said bridge 
computer including a second processor and a second memory storing instructions for 
executing encryption of said first data packet according to a predetermined 
encryption/decryption mechanism; 

information stored in said second memory correlating at least one of the first
host computer and the first network with one of the second host computer and the
second network, respectively; and 

instructions stored in said second memory for intercepting said first data 

packet before departure from said first network, determining whether said correlation is 
present, and if so, then executing encryption of said first data packet according to said 
predetermined encryption/decryption mechanism, generating a new address header including
the internetwork broadcast addresses of the first and second computer networks and 
appending said new address header to said first data packet, thereby generating a modified 
first data packet on to the second host computer. 



58. A computer program product adapted for encrypting data packets, comprising: 

computer code that when executed on a computer causes the computer to receive a

data packet from a source for a destination, the data packet including a header section and a 
data section, and the header section storing a source identifier and a destination identifier; 

computer code that when executed on a computer causes the computer to determine

whether the data packet should be encrypted upon reference to at least one of the source and 
destination identifiers;

computer code that when executed on a computer causes the computer to, if the data 

packet should be encrypted, encrypt the data packet to produce an encrypted data packet; 

computer code that when executed on a computer causes the computer to generate a
new address header storing at least one of a broadcast address associated with the source and
a broadcast address associated with the destination, and append the new address header to the 
encrypted data packet, thereby generating a modified data packet; and 

a computer readable medium that stores the computer codes. 



59. A computer system for encrypting data packets, comprising: 
a processor; 

a computer readable medium coupled to the processor storing a computer program 

comprising:

computer code that when executed by the processor causes the processor to 

receive a data packet from a source for a destination, the data packet including a
header section and a data section, the header section storing a source identifier and a 
destination identifier; 


computer code that when executed by the processor causes the processor to 

determine whether the data packet should be encrypted upon reference to at least one 
of the source and destination identifiers; 
computer code that when executed by the processor causes the processor to if
the data packet should be encrypted, encrypt the data packet to produce an encrypted
data packet; and

computer code that when executed by the processor causes the processor to 
generate a new address header storing at least one of a broadcast address associated 
the source and a broadcast address associated with the destination, and append the 
new address header to the encrypted data packet, thereby generating a modified data
packet.

60. (Once Amended) A method of decrypting data packets, comprising:

receiving a data packet from a source at a destination, the data packet including a 

header section and a data section, the header section storing a source identifier, a destination 
identifier, and encryption information providing a mechanism for identifying an encryption 
method used to generate the data packet; and 

decrypting the data packet to produce a decrypted data packet. 


61. The method as recited in claim 60, further comprising: 

determining from the header section whether the data packet is encrypted; and 

wherein decrypting the data packet to produce a decrypted data packet is performed if 
it is determined that the data packet is encrypted. 



62. The method as recited in claim 60, wherein decrypting the data packet to produce a 
decrypted data packet comprises: 

decrypting at least one of the data section of the data packet and the encryption 

information. 



63. The method as recited in claim 60, wherein the data section includes a packet header 
and a packet body, and wherein decrypting the data section of the data packet comprises
decrypting at least one of the packet header and the packet body.

64. (Once Amended) A computer program product adapted for decrypting data
packets, comprising:



computer code that when executed on a computer causes the computer to receive a

data packet from a source at a destination, the data packet including a header section and a 
data section, the header section storing a source identifier, a destination identifier and 
encryption information including a mechanism for identifying an encryption method used to
generate the data packet;

computer code that when executed on a computer causes the computer to decrypt the 

data packet to produce a decrypted data packet; and

a computer readable medium that stores the computer codes. 



65. The computer program product as recited in claim 64, further comprising: 
computer code that when executed on a computer causes the computer to determine
from the header section whether the data packet is encrypted; and

computer code that when executed on a computer causes the computer to decrypt the 

data packet if it is determined that the data packet is encrypted. 

66. The computer program product as recited in claim 64, further comprising: 

computer code that when executed on a computer causes the computer to decrypt the 

data packet using the encryption method.

67. (Once Amended) A computer system for decrypting data packets, comprising:
a processor; 

a computer readable medium coupled to the processor storing a computer program 

comprising: 

computer code that when executed on the processor causes the processor to 

receive a data packet from a source at a destination, the data packet including a header 
section and a data section, the header section storing a source identifier, a destination 
identifier and encryption information including a mechanism for identifying an 
encryption method used to generate the data packet; 

computer code that when executed on the processor causes the processor to 

determine from the header section whether the data packet is encrypted; and 